Oracle's Critical Patch Update includes 127 fixes, 51 alone for Java

Summary: Oracle's Critical Patch Update (CPU) has been released, and if you use any type of Oracle software -- including Java -- you're likely to need it.

TOPICS: Security, Oracle

Oracle's quarterly Critical Patch Update (CPU) has been released, and includes a mammoth 127 security fixes -- including 51 for Java.

This is the first time that Java is being patched with other Oracle products -- including the E-Business Suite, MySQL and the Primavera Products Suite. Previously, Java was updated every four months.

The October CPU release includes fixes for a variety of software applications -- basically all of them in enterprise server-related product families:

  • Oracle Database
  • Oracle Fusion Middleware
  • Oracle Enterprise Manager
  • Oracle Applications - E-Business Suite
  • Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite
  • Oracle FLEXCUBE Products Suite
  • Oracle Health Sciences Products Suite
  • Oracle Retail Products Suite
  • Oracle Primavera Products Suite
  • Oracle Java
  • Oracle MySQL

Arguably, the most important vulnerability fixes within this update are those for Java, considering the vast number of consumers who use the software worldwide. Out of the 51 fixes on offer, 50 are related to Java Applets and Java WebStart, which are used when you run the applications in your web browser. Many security experts argue that while Java is a useful application, it should be disabled in your browser, where it represents a constant security risk.

Worryingly, 12 of the vulnerabilities being patched in this update have the most urgent, critical CVSSv2 score of 10, which indicates that these flaws can be exploited over a network, without authentication, to gain access, as warned by Wolfgang Kandek, CTO of cloud security firm Qualys.
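Why a CVSSv2 score of 10 implies "over a network, without authentication" can be checked from the CVSS v2 base equation. The following is an added example, not part of the original article: it scores a vector and enumerates every possible base vector to show which ones reach 10.0. The function names are illustrative; the weights are the ones published in the CVSS v2 specification.

```python
from itertools import product

# Metric weights from the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Conf. / Integ. / Avail. impact


def base_score(vector):
    """Return the CVSS v2 base score for e.g. 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    # A malformed item (no ':') makes dict() raise ValueError on its own.
    m = dict(item.split(":", 1) for item in vector.split("/"))
    if set(m) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError("expected exactly the six base metrics: " + vector)
    try:
        exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
        impact = 10.41 * (
            1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
        )
    except KeyError as exc:
        raise ValueError("unknown metric value %s in %s" % (exc, vector))
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def vectors_scoring(target):
    """List every base vector whose score equals target."""
    hits = []
    for av, ac, au, c, i, a in product(AV, AC, AU, CIA, CIA, CIA):
        vector = "AV:%s/AC:%s/Au:%s/C:%s/I:%s/A:%s" % (av, ac, au, c, i, a)
        if base_score(vector) == target:
            hits.append(vector)
    return hits


if __name__ == "__main__":
    # Only one of the 729 possible base vectors reaches the maximum.
    print(vectors_scoring(10.0))
    # Requiring a single authentication step already lowers the score.
    print(base_score("AV:N/AC:L/Au:S/C:C/I:C/A:C"))
```

A score of 10 therefore pins down the whole vector: network access, low complexity, no authentication, and complete loss of confidentiality, integrity and availability.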

Kandek writes:

"The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines."

While some versions of Java update themselves, others do not, so it is worthwhile checking to see what version your operating system runs. Despite the confusion, Oracle "strongly recommends that customers apply CPU fixes as soon as possible." 
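One way to do that check across several machines, as an added example that is not part of the original article: it classifies the first line printed by `java -version` against the fixed release named above, Java 7 update 45. The host names and banner lines are constructed sample data, and the labels returned are this example's own.

```python
import re

# From the article: "The new version is Java 7 update 45".
FIXED_JAVA7_UPDATE = 45

# Legacy Oracle version strings look like 1.<family>.0_<update>, optionally
# followed by a build suffix such as -b18.
BANNER_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def classify(banner):
    """Classify one `java -version` banner line."""
    match = BANNER_RE.search(banner)
    if not match:
        return "unparsed"            # no Java, or an unexpected format
    family = int(match.group(1))
    update = int(match.group(2) or 0)  # "1.7.0" with no suffix is update 0
    if family != 7:
        # The article names a fixed release only for Java 7.
        return "not-covered"
    return "patched" if update >= FIXED_JAVA7_UPDATE else "needs-update"


def hosts_needing_update(inventory):
    """Return the sorted host names whose Java 7 predates update 45."""
    return sorted(
        host for host, banner in inventory.items()
        if classify(banner) == "needs-update"
    )


# Constructed sample inventory: host -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "desk-01": 'java version "1.7.0_40"',
    "desk-02": 'java version "1.7.0_45"',
    "desk-03": 'java version "1.7.0"',
    "lap-07": 'java version "1.7.0_45-b18"',
    "srv-app1": 'java version "1.6.0_51"',
    "kiosk-2": "sh: java: command not found",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(host, classify(banner))
    print("update first:", hosts_needing_update(SAMPLE_INVENTORY))
```

`java -version` writes its banner to standard error, so capture that stream when collecting the lines.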

Over at Sophos Naked Security, Chester Wisniewski is less than impressed with the mammoth security update, commenting:

"If your reputation is this poor and you expose more than a billion users to your flaws, you need to respond more quickly. Microsoft and Adobe both patch monthly and together have less than 50 vulnerabilities fixed per quarter on average. Oracle, it's time to step up your game."

The next CPU update is scheduled for 14 January, 2014.

  • Oh NOOOO!!!

    Not another Java update!
    It might be OK for corporate installations, but retail users are being overwhelmed.
    Half the calls I get (and it happened to me as well) are from clients where the Java Update appeared to work, but it did not install properly.
    I fixed the problem then recommended turning the Java Update OFF.
    It's worse than the Adobe Reader/Acrobat, and that's a pain as well. And NO, Linux is NOT an option for most of my clients.
    • End users should just uninstall java. If you're still using some service

      that requires it dump them. No one who cares about their customers still requires them to have java installed. If your business still requires it they should fire their CIO. Businesses have had a decade of knowing the jre is a piece of crap and they should have been off it long before now. Still being saddled with it is a sign your IT department is being run by a bunch of fools who are a decade behind the curve. They should also have stopped using it for server app development by now. If they haven't be prepared for hackers to come in and crash your servers. The next time your CIO tells you a currently underway or proposed backend server app either requires java itself or will require its users to have java installed tell him/her it's time they found another job outside of the technology sector and tell them to clean out their desk.
      Johnny Vegas
      • Narrow Minded

        They should come out with more quality updates, more often. No one can deny that.

        However, when you said that we should fire my superior, there are 2 things wrong with that. I can't fire my superior. I also can't move away from Java until our third party moves away from java (they provide our products that we sell which we then validate, buy, activate through their software). The systems we integrate with on a third party's systems have been rickety since IE8 came out. I'm not part of the third party's development team, nor can we switch suppliers at the drop of a hat. Our company revolves around 1 supplier and our contracts prohibit us from selling other suppliers' products. Therefore we have to rely on Java to do their part and fix bugs since it is imperative we use their software.

        Get off your one track mind and think critically. Not everything is black and white and easily switchable, decades behind or not. Our IT department doesn't have a choice in the third party systems we deal with unless we actually run and develop for them. At home, you maintain and run all the systems for every website, server, and develop your own software? Sure, throw Java to the curb and pick up .NET or PHP but at work, Java reigns.

        By the way, we haven't had one problem with a hacker. Not a one, zip, zilch, nada. Everything we have encountered is via social engineering.
  • Java

    I subscribe to (a game site) and more than half of the games do not load because of Java 7_40. It installs all right but does not verify. My next step is to cancel my subscription and disable Java.
  • Linux is safe

    these are only windoze vulnerabilities.
    LlNUX Geek
    • surely you're trolling

      The much touted benefit of Java has always been code once, run on any system...... the same applies for malicious code. Just because java isn't currently being exploited in the same manner on linux doesn't mean it isn't possible. The Jacksbot malware is one minor example of cross platform malware using Java vulnerabilities.

      Java is often run on linux web/app servers which aren't always updated, and this could provide another attack vector.
    • Errr

      And you are a fool. There was no Java update for Linux?
  • Too little, too late, too bad

    I found out that, as I no longer really NEEDED Java for what I did on the Internet day by day, it became nothing more than a bit of wasted hard drive space -- so I junked it.
  • Must be a surplus bunch of astroturf about

    What with the stupid posts and all. But, mitigating this, this is zdnet, so one cannot expect all that much.
  • Effort vs State

    I am more concerned that Oracle sees the vulnerabilities in Java, and comes up with patches for it, than the number of vulnerabilities found in the software. Oracle should be commended for their efforts at resolving problems with their software, their current, perceived security condition notwithstanding. Personally I see my notebook consuming more data bundles updating my Windows 7 / Ubuntu 13.04 OSes with security patches, than I ever do Java on either.
    Also, I have yet to see comments talking about configuring the Java Consoles for more secure deployments, suggesting that most of us are commenting from the default configuration standpoint.
  • Buggy crap

    Java is off my home computers. It is on my work computers only because a dump app requires it.
    It beat out Chrome for most vulnerabilities fixed so far this year in a single update. Chrome v30 fixed just 50 security issues.